Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: jenkins-nirt-alerts

Scan Information:


Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count
antlr-2.7.6.jar antlr:antlr:2.7.6   0 11
aopalliance-1.0.jar aopalliance:aopalliance:1.0   0 13
args4j-2.0.23.jar args4j:args4j:2.0.23   0 14
jffi-1.2.7-native.jar com.github.jnr:jffi:1.2.7   0 8
jffi-1.2.7-native.jar: jffi-1.2.dll   0 2
jffi-1.2.7-native.jar: jffi-1.2.dll   0 2
jffi-1.2.7.jar com.github.jnr:jffi:1.2.7   0 14
jnr-constants-0.8.5.jar com.github.jnr:jnr-constants:0.8.5   0 15
jnr-ffi-1.0.7.jar com.github.jnr:jnr-ffi:1.0.7   0 15
jnr-posix-3.0.1.jar com.github.jnr:jnr-posix:3.0.1   0 12
jnr-x86asm-1.0.2.jar com.github.jnr:jnr-x86asm:1.0.2   0 14
jsr305-1.3.9.jar com.google.code.findbugs:jsr305:1.3.9   0 14
guava-11.0.1.jar com.google.guava:guava:11.0.1   0 16
guice-4.0-beta-no_aop.jar com.google.inject:guice:4.0-beta   0 21
h2-1.3.176.jar com.h2database:h2:1.3.176   0 17
mailapi-1.5.6.jar cpe:/a:sun:javamail:1.5.6 com.sun.mail:mailapi:1.5.6   0 LOW 27
embedded_su4j-1.1.jar com.sun.solaris:embedded_su4j:1.1   0 13
txw2-20110809.jar com.sun.xml.txw2:txw2:20110809   0 16
commons-beanutils-1.8.3.jar cpe:/a:apache:commons_beanutils:1.8.3 commons-beanutils:commons-beanutils:1.8.3 High 1 LOW 23
commons-codec-1.8.jar commons-codec:commons-codec:1.8   0 24
commons-collections-3.2.2.jar cpe:/a:apache:commons_collections:3.2.2 commons-collections:commons-collections:3.2.2   0 LOW 26
commons-digester-2.1.jar commons-digester:commons-digester:2.1   0 23
commons-discovery-0.4.jar commons-discovery:commons-discovery:0.4   0 19
commons-fileupload-1.2.1.jar cpe:/a:apache:commons_fileupload:1.2.1 commons-fileupload:commons-fileupload:1.2.1 High 4 HIGHEST 21
commons-httpclient-3.1.jar cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1 commons-httpclient:commons-httpclient:3.1 Medium 3 LOW 15
commons-io-2.4.jar commons-io:commons-io:2.4   0 24
commons-jelly-tags-fmt-1.0.jar commons-jelly:commons-jelly-tags-fmt:1.0   0 14
commons-jelly-tags-xml-1.1.jar commons-jelly:commons-jelly-tags-xml:1.1   0 18
commons-lang-2.6.jar commons-lang:commons-lang:2.6   0 23
commons-logging-1.1.3.jar commons-logging:commons-logging:1.1.3   0 24
javax.annotation-api-1.2.jar javax.annotation:javax.annotation-api:1.2   0 23
javax.inject-1.jar javax.inject:javax.inject:1   0 13
mail-1.4.4.jar cpe:/a:sun:javamail:1.4.4 javax.mail:mail:1.4.4   0 LOW 26
jstl-1.1.0.jar javax.servlet:jstl:1.1.0   0 15
stax-api-1.0-2.jar javax.xml.stream:stax-api:1.0-2   0 13
jaxen-1.1-beta-11.jar jaxen:jaxen:1.1-beta-11   0 17
jcommon-1.0.12.jar jfree:jcommon:1.0.12   0 14
jfreechart-1.0.9.jar jfree:jfreechart:1.0.9   0 14
jline-0.9.94.jar jline:jline:0.9.94   0 12
jline-0.9.94.jar: jline32.dll   0 2
jline-0.9.94.jar: jline64.dll   0 2
joda-time-1.6.jar joda-time:joda-time:1.6   0 22
log4j-1.2.9.jar log4j:log4j:1.2.9   0 10
sezpoz-1.9.jar net.java.sezpoz:sezpoz:1.9   0 14
ezmorph-1.0.6.jar net.sf.ezmorph:ezmorph:1.0.6   0 14
acegi-security-1.0.7.jar cpe:/a:acegisecurity:acegi-security:1.0.7 org.acegisecurity:acegi-security:1.0.7 Medium 1 HIGHEST 13
ant-launcher-1.8.3.jar org.apache.ant:ant-launcher:1.8.3   0 16
ant-1.8.3.jar org.apache.ant:ant:1.8.3   0 15
commons-compress-1.13.jar cpe:/a:apache:commons-compress:1.13 org.apache.commons:commons-compress:1.13   0 LOW 28
commons-lang3-3.3.2.jar org.apache.commons:commons-lang3:3.3.2   0 25
log4j-api-2.8.1.jar org.apache.logging.log4j:log4j-api:2.8.1   0 26
log4j-to-slf4j-2.8.1.jar org.apache.logging.log4j:log4j-to-slf4j:2.8.1   0 26
lucene-analyzers-common-4.7.2.jar org.apache.lucene:lucene-analyzers-common:4.7.2   0 18
lucene-core-4.7.2.jar org.apache.lucene:lucene-core:4.7.2   0 18
lucene-queries-4.7.2.jar org.apache.lucene:lucene-queries:4.7.2   0 18
lucene-queryparser-4.7.2.jar org.apache.lucene:lucene-queryparser:4.7.2   0 18
lucene-sandbox-4.7.2.jar org.apache.lucene:lucene-sandbox:4.7.2   0 18
doxia-sink-api-1.0.jar org.apache.maven.doxia:doxia-sink-api:1.0   0 19
maven-reporting-api-3.0.jar org.apache.maven.reporting:maven-reporting-api:3.0   0 19
maven-dependency-tree-2.2.jar org.apache.maven.shared:maven-dependency-tree:2.2   0 19
mina-core-2.0.5.jar org.apache.mina:mina-core:2.0.5   0 16
sshd-core-0.8.0.jar org.apache.sshd:sshd-core:0.8.0   0 22
velocity-1.7.jar org.apache.velocity:velocity:1.7   0 23
bcpkix-jdk15on-1.47.jar org.bouncycastle:bcpkix-jdk15on:1.47   0 21
bcprov-jdk15on-1.47.jar cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.47, cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.47 org.bouncycastle:bcprov-jdk15on:1.47 Medium 1 LOW 21
groovy-all-1.8.9.jar cpe:/a:apache:groovy:1.8.9 org.codehaus.groovy:groovy-all:1.8.9 High 2 HIGHEST 27
plexus-component-annotations-1.5.5.jar org.codehaus.plexus:plexus-component-annotations:1.5.5   0 17
plexus-utils-1.5.5.jar org.codehaus.plexus:plexus-utils:1.5.5   0 11
wstx-asl-3.2.9.jar org.codehaus.woodstox:wstx-asl:3.2.9   0 18
aether-util-0.9.0.M2.jar org.eclipse.aether:aether-util:0.9.0.M2   0 17
jansi-1.9.jar org.fusesource.jansi:jansi:1.9   0 19
jansi-1.9.jar: jansi.dll   0 1
jansi-1.9.jar: jansi.dll   0 1
javax.json-1.0.4.jar org.glassfish:javax.json:1.0.4   0 20
constant-pool-scanner-1.2.jar org.jenkins-ci:constant-pool-scanner:1.2   0 14
jenkins-war-1.561.jar: annotation-indexer-1.7.jar cpe:/a:jenkins:jenkins:1.7 org.jenkins-ci:annotation-indexer:1.7 High 62 LOW 12
jenkins-war-1.561.jar: bridge-method-annotation-1.9.jar com.infradna.tool:bridge-method-annotation:1.9   0 11
jenkins-war-1.561.jar: bytecode-compatibility-transformer-1.5.jar cpe:/a:jenkins:jenkins:1.5 org.jenkins-ci:bytecode-compatibility-transformer:1.5 High 62 LOW 10
jenkins-war-1.561.jar: cli-1.561.jar cpe:/a:jenkins:jenkins:1.561 org.jenkins-ci.main:cli:1.561 High 44 LOW 10
jenkins-war-1.561.jar: commons-collections-3.2.1.jar cpe:/a:apache:commons_collections:3.2.1 commons-collections:commons-collections:3.2.1 High 1 HIGHEST 23
jenkins-war-1.561.jar: commons-jelly-1.1-jenkins-20120928.jar org.jenkins-ci:commons-jelly:1.1-jenkins-20120928   0 10
jenkins-war-1.561.jar: commons-jexl-1.1-jenkins-20111212.jar org.jenkins-ci:commons-jexl:1.1-jenkins-20111212   0 13
jenkins-war-1.561.jar: crypto-util-1.1.jar cpe:/a:jenkins:jenkins:1.1 org.jenkins-ci:crypto-util:1.1 High 62 LOW 11
jenkins-war-1.561.jar: hamcrest-core-1.3.jar org.hamcrest:hamcrest-core:1.3   0 17
jenkins-war-1.561.jar: instance-identity-1.4.jar cpe:/a:jenkins:jenkins:1.4 org.jenkins-ci.modules:instance-identity:1.4 High 62 LOW 17
jenkins-war-1.561.jar: jcifs-1.3.17-kohsuke-1.jar org.samba.jcifs:jcifs:1.3.17-kohsuke-1   0 9
jenkins-war-1.561.jar: jenkins-core-1.561.jar cpe:/a:jenkins:jenkins:1.561 org.jenkins-ci.main:jenkins-core:1.561 High 44 LOW 10
jenkins-war-1.561.jar: jmdns-3.4.0-jenkins-3.jar   0 5
jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar   0 9
jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar: jnidispatch.dll   0 1
jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar: jnidispatch.dll   0 1
jenkins-war-1.561.jar: json-lib-2.4-jenkins-2.jar org.kohsuke.stapler:json-lib:2.4-jenkins-2   0 12
jenkins-war-1.561.jar: junit-4.11.jar junit:junit:4.11   0 13
jenkins-war-1.561.jar: jzlib-1.1.3-kohsuke-1.jar cpe:/a:jcraft:jzlib:1.1.3 com.jcraft:jzlib:1.1.3-kohsuke-1   0 LOW 11
jenkins-war-1.561.jar: launchd-slave-installer-1.2.jar org.jenkins-ci.modules:launchd-slave-installer:1.2   0 17
jenkins-war-1.561.jar: memory-monitor-1.7.jar cpe:/a:jenkins:jenkins:1.7 org.jenkins-ci:memory-monitor:1.7 High 62 LOW 11
jenkins-war-1.561.jar: remoting-2.40.jar cpe:/a:jenkins:jenkins:2.40   0 LOW 8
jenkins-war-1.561.jar: robust-http-client-1.2.jar org.jvnet.robust-http-client:robust-http-client:1.2   0 11
jenkins-war-1.561.jar: slave-installer-1.3.jar cpe:/a:jenkins:jenkins:1.3 org.jenkins-ci.modules:slave-installer:1.3 High 62 LOW 17
jenkins-war-1.561.jar: slf4j-api-1.7.4.jar org.slf4j:slf4j-api:1.7.4   0 19
jenkins-war-1.561.jar: spring-core-2.5.6.SEC03.jar cpe:/a:pivotal:spring_framework:2.5.6.sec03, cpe:/a:pivotal_software:spring_framework:2.5.6.sec03, cpe:/a:springsource:spring_framework:2.5.6.sec03, cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03 org.springframework:spring-core:2.5.6.SEC03 High 7 LOW 22
jenkins-war-1.561.jar: ssh-cli-auth-1.2.jar org.jenkins-ci.modules:ssh-cli-auth:1.2   0 17
jenkins-war-1.561.jar: sshd-1.6.jar org.jenkins-ci.modules:sshd:1.6   0 17
jenkins-war-1.561.jar: stapler-adjunct-codemirror-1.3.jar org.kohsuke.stapler:stapler-adjunct-codemirror:1.3   0 6
jenkins-war-1.561.jar: stapler-adjunct-timeline-1.4.jar org.kohsuke.stapler:stapler-adjunct-timeline:1.4   0 10
jenkins-war-1.561.jar: systemd-slave-installer-1.1.jar org.jenkins-ci.modules:systemd-slave-installer:1.1   0 17
jenkins-war-1.561.jar: task-reactor-1.4.jar cpe:/a:jenkins:jenkins:1.4 org.jenkins-ci:task-reactor:1.4 High 62 LOW 11
jenkins-war-1.561.jar: trilead-ssh2-build217-jenkins-3.jar org.jenkins-ci:trilead-ssh2:build217-jenkins-3   0 9
jenkins-war-1.561.jar: upstart-slave-installer-1.1.jar cpe:/a:jenkins:jenkins:1.1 org.jenkins-ci.modules:upstart-slave-installer:1.1 High 62 LOW 17
jenkins-war-1.561.jar: version-number-1.1.jar cpe:/a:jenkins:jenkins:1.1 org.jenkins-ci:version-number:1.1 High 62 LOW 10
jenkins-war-1.561.jar: windows-slave-installer-1.4.jar org.jenkins-ci.modules:windows-slave-installer:1.4   0 17
jenkins-war-1.561.jar: xstream-1.4.7-jenkins-1.jar org.jvnet.hudson:xstream:1.4.7-jenkins-1   0 21
jenkins-war-1.561.jar: winstone.jar cpe:/a:eclipse:jetty:2.3, cpe:/a:jetty:jetty:2.3   0 LOW 7
jna-posix-1.0.3.jar org.jruby.ext.posix:jna-posix:1.0.3   0 12
jsoup-1.10.1.jar org.jsoup:jsoup:1.10.1   0 18
activation-1.1.1-hudson-1.jar org.jvnet.hudson:activation:1.1.1-hudson-1   0 13
commons-jelly-tags-define-1.0.1-hudson-20071021.jar org.jvnet.hudson:commons-jelly-tags-define:1.0.1-hudson-20071021   0 15
dom4j-1.6.1-hudson-3.jar org.jvnet.hudson.dom4j:dom4j:1.6.1-hudson-3   0 14
jtidy-4aug2000r7-dev-hudson-1.jar org.jvnet.hudson:jtidy:4aug2000r7-dev-hudson-1   0 14
libzfs-0.5.jar org.jvnet.libzfs:libzfs:0.5   0 16
localizer-1.10.jar org.jvnet.localizer:localizer:1.10   0 14
tiger-types-1.3.jar org.jvnet:tiger-types:1.3   0 12
winp-1.19.jar cpe:/a:killprocess:killprocess:1.19 org.jvnet.winp:winp:1.19 Medium 1 LOW 15
winp-1.19.jar: winp.dll   0 1
winp-1.19.jar: winp.x64.dll   0 2
access-modifier-annotation-1.4.jar org.kohsuke:access-modifier-annotation:1.4   0 14
akuma-1.9.jar org.kohsuke:akuma:1.9   0 15
asm3-3.3.0.jar org.kohsuke:asm3:3.3.0   0 17
asm5-5.0.1.jar org.kohsuke:asm5:5.0.1   0 14
j-interop-2.0.6-kohsuke-1.jar org.kohsuke.jinterop:j-interop:2.0.6-kohsuke-1   0 14
j-interopdeps-2.0.6-kohsuke-1.jar org.kohsuke.jinterop:j-interopdeps:2.0.6-kohsuke-1   0 13
libpam4j-1.6.jar org.kohsuke:libpam4j:1.6   0 15
stapler-adjunct-zeroclipboard-1.1.7-1.jar org.kohsuke.stapler:stapler-adjunct-zeroclipboard:1.1.7-1   0 12
stapler-groovy-1.224.jar org.kohsuke.stapler:stapler-groovy:1.224   0 17
stapler-jelly-1.224.jar org.kohsuke.stapler:stapler-jelly:1.224   0 16
stapler-jrebel-1.224.jar org.kohsuke.stapler:stapler-jrebel:1.224   0 15
stapler-1.224.jar org.kohsuke.stapler:stapler:1.224   0 15
trilead-putty-extension-1.2.jar cpe:/a:putty:putty:1.2 org.kohsuke:trilead-putty-extension:1.2   0 LOW 16
windows-package-checker-1.0.jar org.kohsuke:windows-package-checker:1.0   0 15
jbcrypt-0.3m.jar cpe:/a:mindrot:jbcrypt:0.3m org.mindrot:jbcrypt:0.3m   0 LOW 16
asm-analysis-4.0.jar org.ow2.asm:asm-analysis:4.0   0 15
asm-commons-4.0.jar org.ow2.asm:asm-commons:4.0   0 15
asm-tree-4.0.jar org.ow2.asm:asm-tree:4.0   0 15
asm-util-4.0.jar org.ow2.asm:asm-util:4.0   0 15
asm-4.0.jar org.ow2.asm:asm:4.0   0 15
dependency-check-core-1.4.5.jar org.owasp:dependency-check-core:1.4.5   0 18
dependency-check-core-1.4.5.jar: GrokAssembly.exe   0 1
dependency-check-maven-1.4.5.jar org.owasp:dependency-check-maven:1.4.5   0 18
dependency-check-utils-1.4.5.jar org.owasp:dependency-check-utils:1.4.5   0 18
jcifs-1.2.19.jar org.samba.jcifs:jcifs:1.2.19   0 13
jcl-over-slf4j-1.7.24.jar org.slf4j:jcl-over-slf4j:1.7.24   0 20
jul-to-slf4j-1.7.24.jar org.slf4j:jul-to-slf4j:1.7.24   0 19
log4j-over-slf4j-1.7.24.jar org.slf4j:log4j-over-slf4j:1.7.24   0 20
slf4j-api-1.7.24.jar org.slf4j:slf4j-api:1.7.24   0 20
slf4j-jdk14-1.7.4.jar org.slf4j:slf4j-jdk14:1.7.4   0 20
plexus-cipher-1.4.jar org.sonatype.plexus:plexus-cipher:1.4   0 17
plexus-sec-dispatcher-1.4.jar org.sonatype.plexus:plexus-sec-dispatcher:1.4   0 17
spring-core-4.3.7.RELEASE.jar cpe:/a:pivotal:spring_framework:4.3.7, cpe:/a:pivotal_software:spring_framework:4.3.7, cpe:/a:springsource:spring_framework:4.3.7, cpe:/a:vmware:springsource_spring_framework:4.3.7 org.springframework:spring-core:4.3.7.RELEASE   0 LOW 18
spring-dao-1.2.9.jar cpe:/a:pivotal:spring_framework:1.2.9, cpe:/a:pivotal_software:spring_framework:1.2.9, cpe:/a:springsource:spring_framework:1.2.9, cpe:/a:vmware:springsource_spring_framework:1.2.9 org.springframework:spring-dao:1.2.9 High 7 LOW 19
oro-2.0.8.jar oro:oro:2.0.8   0 11
relaxngDatatype-20020414.jar activemq:relaxngDatatype:20050407   0 13
stax-api-1.0.1.jar stax:stax-api:1.0.1   0 16
xpp3-1.1.4c.jar xpp3:xpp3:1.1.4c   0 15
plexus-utils-1.5.5.jar/META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml org.codehaus.plexus:plexus-interpolation:1.0   0 7
jansi-1.9.jar/META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml org.fusesource.hawtjni:hawtjni-runtime:1.5   0 7
jansi-1.9.jar/META-INF/maven/org.fusesource.jansi/jansi-native/pom.xml org.fusesource.jansi:jansi-native:1.3   0 9
jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/commons-codec/commons-codec/pom.xml commons-codec:commons-codec:1.4   0 9
jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/args4j/args4j/pom.xml args4j:args4j:2.0.16   0 5
jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/org.jenkins-ci/trilead-ssh2/pom.xml org.jenkins-ci:trilead-ssh2:build214-jenkins-1   0 6
jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.jenkins-ci/winstone/pom.xml cpe:/a:jetty:jetty:2.3 org.jenkins-ci:winstone:2.3   0 LOW 5
jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml cpe:/a:eclipse:jetty:8.1.13.v20130916 org.eclipse.jetty:jetty-io:8.1.13.v20130916   0 LOW 7
jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.eclipse.jetty.spdy/spdy-core/pom.xml cpe:/a:eclipse:jetty:8.1.13.v20130916, cpe:/a:jetty:jetty:8.1.13.v20130916 org.eclipse.jetty.spdy:spdy-core:8.1.13.v20130916   0 LOW 7

Dependencies

antlr-2.7.6.jar

File Path: /Users/andy/.m2/repository/antlr/antlr/2.7.6/antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

aopalliance-1.0.jar

Description: AOP Alliance

License:

Public Domain
File Path: /Users/andy/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

args4j-2.0.23.jar

Description: args4j : Java command line arguments parser

License:

http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/args4j/args4j/2.0.23/args4j-2.0.23.jar
MD5: a57c4735f9b2c394dd278b94ee8e8aa0
SHA1: 422e5b898b573b4537fbf5564f58829c0382b029
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jffi-1.2.7-native.jar

File Path: /Users/andy/.m2/repository/com/github/jnr/jffi/1.2.7/jffi-1.2.7-native.jar
MD5: 812c5384ea62208236321244dcab54ad
SHA1: 4e8c876383acb37da4347902a0a775aefd51de09
Referenced In Project/Scope: jenkins-nirt-alerts:runtime

Identifiers

jffi-1.2.7-native.jar: jffi-1.2.dll

File Path: /Users/andy/.m2/repository/com/github/jnr/jffi/1.2.7/jffi-1.2.7-native.jar/jni/i386-Windows/jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
Referenced In Project/Scope: jenkins-nirt-alerts:runtime

Identifiers

  • None

jffi-1.2.7-native.jar: jffi-1.2.dll

File Path: /Users/andy/.m2/repository/com/github/jnr/jffi/1.2.7/jffi-1.2.7-native.jar/jni/x86_64-Windows/jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
Referenced In Project/Scope: jenkins-nirt-alerts:runtime

Identifiers

  • None

jffi-1.2.7.jar

Description: Java Foreign Function Interface

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/com/github/jnr/jffi/1.2.7/jffi-1.2.7.jar
MD5: e06351d38c8893bac3d0e54f0b095e14
SHA1: acda5c46140404e08b3526f39db1504874b34b4c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jnr-constants-0.8.5.jar

Description: A set of platform constants (e.g. errno values)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/com/github/jnr/jnr-constants/0.8.5/jnr-constants-0.8.5.jar
MD5: cc7709e3bacd8fc5820726cd9dba542a
SHA1: f84cca9e21f1f763a9eaf33de3d6a66a20ed7af0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jnr-ffi-1.0.7.jar

Description: A library for invoking native functions from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/com/github/jnr/jnr-ffi/1.0.7/jnr-ffi-1.0.7.jar
MD5: 73aeea2ddd36d6ec128802868e23ef1d
SHA1: ad98d2f600f0e680a4fb41bcb4a60078deb6f735
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jnr-posix-3.0.1.jar

Description: Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /Users/andy/.m2/repository/com/github/jnr/jnr-posix/3.0.1/jnr-posix-3.0.1.jar
MD5: 4b72ad6a01e0b8c2668484e6c54c42f9
SHA1: 5ac18caed12108123c959c8acedef76ca4f28cb3
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jnr-x86asm-1.0.2.jar

Description: A pure-java X86 and X86_64 assembler

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/com/github/jnr/jnr-x86asm/1.0.2/jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jsr305-1.3.9.jar

Description: JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar
MD5: 1d5a772e400b04bb67a7ef4a0e0996d8
SHA1: 40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

guava-11.0.1.jar

Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies. Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: /Users/andy/.m2/repository/com/google/guava/guava/11.0.1/guava-11.0.1.jar
MD5: 69a3d06554ebc3027c9432509a67ede2
SHA1: 57b40a943725d43610c898ac0169adf1b2d55742
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

guice-4.0-beta-no_aop.jar

Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies. Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/com/google/inject/guice/4.0-beta/guice-4.0-beta-no_aop.jar
MD5: df5c4be0e94fca3787b42b5c15859ce2
SHA1: c192ad1c770999d998367132d7c041198198aa24
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

h2-1.3.176.jar

Description: H2 Database Engine

License:

The H2 License, Version 1.0: http://h2database.com/html/license.html
File Path: /Users/andy/.m2/repository/com/h2database/h2/1.3.176/h2-1.3.176.jar
MD5: 9c15d378136b31e4fd8f54561e90713a
SHA1: fd369423346b2f1525c413e33f8cf95b09c92cbd
Referenced In Project/Scope: jenkins-nirt-alerts:runtime

Identifiers

mailapi-1.5.6.jar

Description: JavaMail API (no providers)

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /Users/andy/.m2/repository/com/sun/mail/mailapi/1.5.6/mailapi-1.5.6.jar
MD5: 2d5d81cd7a3e1ca3caab3a3d70add6f7
SHA1: 8fe524d88c28362b50052200c28149bc8f1f45e4
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

embedded_su4j-1.1.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/com/sun/solaris/embedded_su4j/1.1/embedded_su4j-1.1.jar
MD5: 754ab27a4bc4f2409d6cd9652f3ae3e0
SHA1: 9404130cc4e60670429f1ab8dbf94d669012725d
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

txw2-20110809.jar

File Path: /Users/andy/.m2/repository/com/sun/xml/txw2/txw2/20110809/txw2-20110809.jar
MD5: 67aa3d67701de0b808ff606e1756c8bb
SHA1: 46afa3f3c468680875adb8f2a26086a126c89902
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-beanutils-1.8.3.jar

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

CVE-2014-0114  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

commons-codec-1.8.jar

Description: The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-codec/commons-codec/1.8/commons-codec-1.8.jar
MD5: b87aa66fe75685c82d082e750ab51b2e
SHA1: af3be3f74d25fc5163b54f56a0d394b462dafafd
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-collections-3.2.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-digester-2.1.jar

Description: The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-discovery-0.4.jar

Description: Commons Discovery

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /Users/andy/.m2/repository/commons-discovery/commons-discovery/0.4/commons-discovery-0.4.jar
MD5: cdbb606faa974f9361a85d6df53aeb9f
SHA1: 9e3417d3866d9f71e83b959b229b35dc723c7bea
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-fileupload-1.2.1.jar

Description: The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
MD5: 951b36984148fc4f4e901f06ab382273
SHA1: 384faa82e193d4e4b0546059ca09572654bc3970
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

CVE-2016-3092  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

CVE-2016-1000031  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution

Vulnerable Software & Versions:

CVE-2014-0050  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2013-0248  

Severity: Low
CVSS Score: 3.3 (AV:L/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Vulnerable Software & Versions:

commons-httpclient-3.1.jar

Description: The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/andy/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: commons-httpclient:commons-httpclient:3.1   Confidence:HIGHEST
  • cpe: cpe:/a:apache:commons-httpclient:3.1   Confidence:LOW   
  • cpe: cpe:/a:apache:httpclient:3.1   Confidence:LOW   

CVE-2015-5262  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3577  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vulnerable Software & Versions:

CVE-2012-6153  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Vulnerable Software & Versions:

commons-io-2.4.jar

Description: The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-jelly-tags-fmt-1.0.jar

File Path: /Users/andy/.m2/repository/commons-jelly/commons-jelly-tags-fmt/1.0/commons-jelly-tags-fmt-1.0.jar
MD5: ff110c950c9fcf08e98a325f6708ba78
SHA1: 2107da38fdd287ab78a4fa65c1300b5ad9999274
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-jelly-tags-xml-1.1.jar

Description: The Jelly XML Tag Library

File Path: /Users/andy/.m2/repository/commons-jelly/commons-jelly-tags-xml/1.1/commons-jelly-tags-xml-1.1.jar
MD5: 249d2afad4d419a8139549ca2ab8a05a
SHA1: cc0efc2ae0ff81ef7737afc786a0ce16a8540efc
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-lang-2.6.jar

Description: Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-logging-1.1.3.jar

Description: Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

javax.annotation-api-1.2.jar

Description: Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/andy/.m2/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

mail-1.4.4.jar

Description: JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /Users/andy/.m2/repository/javax/mail/mail/1.4.4/mail-1.4.4.jar
MD5: f30453ae9ee252c802d349009742065f
SHA1: b907ef0a02ff6e809392b1e7149198497fcc8e49
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jstl-1.1.0.jar

File Path: /Users/andy/.m2/repository/javax/servlet/jstl/1.1.0/jstl-1.1.0.jar
MD5: ecc36a63c16bb2195198d24f2b803804
SHA1: bca201e52333629c59e459e874e5ecd8f9899e15
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stax-api-1.0-2.jar

Description:  StAX is a standard XML processing API that allows you to stream XML data from and to your application.

License:

GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /Users/andy/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jaxen-1.1-beta-11.jar

Description: Jaxen is a universal Java XPath engine.

File Path: /Users/andy/.m2/repository/jaxen/jaxen/1.1-beta-11/jaxen-1.1-beta-11.jar
MD5: 6b0c65b0db4e60c6e5daadf65cac1192
SHA1: 81e32b8bafcc778e5deea4e784670299f1c26b96
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jcommon-1.0.12.jar

Description:  JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /Users/andy/.m2/repository/jfree/jcommon/1.0.12/jcommon-1.0.12.jar
MD5: 99bc885bb5c68be1c09ed23c997df5ac
SHA1: 737f02607d2f45bb1a589a85c63b4cd907e5e634
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jfreechart-1.0.9.jar

Description:  JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /Users/andy/.m2/repository/jfree/jfreechart/1.0.9/jfreechart-1.0.9.jar
MD5: e40fdcd9dcf52833f3a9b2e63f1f438c
SHA1: 6e522aa603bf7ac69da59edcf519b335490e93a6
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jline-0.9.94.jar

Description: JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.

License:

BSD: LICENSE.txt
File Path: /Users/andy/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar
MD5: 46235c960277206f00fe24714437bc89
SHA1: 99a18e9a44834afdebc467294e1138364c207402
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jline-0.9.94.jar: jline32.dll

File Path: /Users/andy/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar/jline/jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jline-0.9.94.jar: jline64.dll

File Path: /Users/andy/.m2/repository/jline/jline/0.9.94/jline-0.9.94.jar/jline/jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

joda-time-1.6.jar

Description: Date and time library to replace JDK date handling.

License:

Apache 2: http://www.apache.org/licenses/
File Path: /Users/andy/.m2/repository/joda-time/joda-time/1.6/joda-time-1.6.jar
MD5: 3a9f0fe3f470e2490cb266cddba33492
SHA1: 5a18504e34c5cbe9259d6fd0123ccf6f16115a41
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

log4j-1.2.9.jar

File Path: /Users/andy/.m2/repository/log4j/log4j/1.2.9/log4j-1.2.9.jar
MD5: 6a44d84b72897f28189f4792e2015b93
SHA1: 55856d711ab8b88f8c7b04fd85ff1643ffbfde7c
Referenced In Project/Scope: jenkins-nirt-alerts:runtime

Identifiers

sezpoz-1.9.jar

File Path: /Users/andy/.m2/repository/net/java/sezpoz/sezpoz/1.9/sezpoz-1.9.jar
MD5: 251596403cce9ee350ec8c1a85aa062e
SHA1: f0f80cbb5794ddac228de03ecce7299d9ac7a758
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

ezmorph-1.0.6.jar

Description:  Simple java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/net/sf/ezmorph/ezmorph/1.0.6/ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

acegi-security-1.0.7.jar

File Path: /Users/andy/.m2/repository/org/acegisecurity/acegi-security/1.0.7/acegi-security-1.0.7.jar
MD5: 355696bb2e3d3c9892543396271d4d79
SHA1: 72901120d299e0c6ed2f6a23dd37f9186eeb8cc3
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

CVE-2010-3700  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

Vulnerable Software & Versions:

ant-launcher-1.8.3.jar

File Path: /Users/andy/.m2/repository/org/apache/ant/ant-launcher/1.8.3/ant-launcher-1.8.3.jar
MD5: a9e66d25caae7c810a4f7014981ef501
SHA1: 0a22bcf9438c41828b04c13b052c4886606abac2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

ant-1.8.3.jar

File Path: /Users/andy/.m2/repository/org/apache/ant/ant/1.8.3/ant-1.8.3.jar
MD5: 5c8acc130823219fe778b7c2f8d47912
SHA1: 077c746ecab048b9839c7a8e39e55fe8636c5b11
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-compress-1.13.jar

Description:  Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/apache/commons/commons-compress/1.13/commons-compress-1.13.jar
MD5: 51d245f7f258de5fde39c2004a76bfe8
SHA1: 15c5e9584200122924e50203ae210b57616b75ee
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-lang3-3.3.2.jar

Description:  Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/apache/commons/commons-lang3/3.3.2/commons-lang3-3.3.2.jar
MD5: 3128bf75a2549ebe38663401191bacab
SHA1: 90a3822c38ec8c996e84c16a3477ef632cbc87a3
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

log4j-api-2.8.1.jar

Description: The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/apache/logging/log4j/log4j-api/2.8.1/log4j-api-2.8.1.jar
MD5: a2ad9b058b4b03d43f3cc301701654e4
SHA1: e801d13612e22cad62a3f4f3fe7fdbe6334a8e72
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

log4j-to-slf4j-2.8.1.jar

Description: The Apache Log4j binding between Log4j 2 API and SLF4J.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/apache/logging/log4j/log4j-to-slf4j/2.8.1/log4j-to-slf4j-2.8.1.jar
MD5: a5fa9b447a25b3824e8a1388d0744052
SHA1: 2ffbb13a6f6efc0c1a010b87c590d3ef5db465c4
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

lucene-analyzers-common-4.7.2.jar

Description: Additional Analyzers

File Path: /Users/andy/.m2/repository/org/apache/lucene/lucene-analyzers-common/4.7.2/lucene-analyzers-common-4.7.2.jar
MD5: cbc49dfc4ed6ee29db3a1ed5a84c5a9e
SHA1: 72017b7643f6e2389a140099a3fce198a569b599
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

lucene-core-4.7.2.jar

Description: Apache Lucene Java Core

File Path: /Users/andy/.m2/repository/org/apache/lucene/lucene-core/4.7.2/lucene-core-4.7.2.jar
MD5: 6ed7375bfe046610363a10915ce2dd8b
SHA1: c9ec1d5b48635aa032ca3d2c824dea0e6523a4a5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

lucene-queries-4.7.2.jar

Description: Lucene Queries Module

File Path: /Users/andy/.m2/repository/org/apache/lucene/lucene-queries/4.7.2/lucene-queries-4.7.2.jar
MD5: fe815419a0aff3f76452ac516fffb680
SHA1: c357a2494e341f2680fccbf9e96138c7083aaad4
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

lucene-queryparser-4.7.2.jar

Description: Lucene QueryParsers module

File Path: /Users/andy/.m2/repository/org/apache/lucene/lucene-queryparser/4.7.2/lucene-queryparser-4.7.2.jar
MD5: e7c72fce30aae45d9e3ad43b24b2a58f
SHA1: 0ef6eb0d081065d3b69a4f097eec115a80f3a8f7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

lucene-sandbox-4.7.2.jar

Description: Lucene Sandbox

File Path: /Users/andy/.m2/repository/org/apache/lucene/lucene-sandbox/4.7.2/lucene-sandbox-4.7.2.jar
MD5: a6e13813e4bf0d0053423a51b6588f4d
SHA1: 447747b4ddd1f2af2ae8a1759ada5988393e945c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

doxia-sink-api-1.0.jar

Description: Doxia Sink API.

File Path: /Users/andy/.m2/repository/org/apache/maven/doxia/doxia-sink-api/1.0/doxia-sink-api-1.0.jar
MD5: 04067d1b5c9ac4447fd376632b13fba0
SHA1: 13f502f2fb1d4e2db6f19352c85b83277084bb98
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

maven-reporting-api-3.0.jar

Description: API to manage report generation.

File Path: /Users/andy/.m2/repository/org/apache/maven/reporting/maven-reporting-api/3.0/maven-reporting-api-3.0.jar
MD5: 48cd00abc388c5156879b335e869adab
SHA1: b2541dd07d08cd5eff9bd4554a2ad6a4198e2dfe
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

maven-dependency-tree-2.2.jar

Description: A tree-based API for resolution of Maven project dependencies

File Path: /Users/andy/.m2/repository/org/apache/maven/shared/maven-dependency-tree/2.2/maven-dependency-tree-2.2.jar
MD5: c9b2c60a0fd118c04595db246f3075a2
SHA1: 5d9ce6add7b714b8095f0e3e396c5e9f8c5dcfef
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

mina-core-2.0.5.jar

Description: Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/andy/.m2/repository/org/apache/mina/mina-core/2.0.5/mina-core-2.0.5.jar
MD5: 417f506402a9fdd9728574c881477a15
SHA1: 0e134a3761833a3c28c79331e806f64f985a9eec
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

sshd-core-0.8.0.jar

Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/andy/.m2/repository/org/apache/sshd/sshd-core/0.8.0/sshd-core-0.8.0.jar
MD5: f55d69fa49416a734a6ed2dcea3547b6
SHA1: 76af0d5f0716449eb1431f5dff3c99d2468902a3
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

velocity-1.7.jar

Description: Apache Velocity is a general purpose template engine.

File Path: /Users/andy/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar
MD5: 3692dd72f8367cb35fb6280dc2916725
SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

bcpkix-jdk15on-1.47.jar

Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /Users/andy/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.47/bcpkix-jdk15on-1.47.jar
MD5: a4316d3710840f4b7152b7ac1c904679
SHA1: cd204e6f26d2bbf65ff3a30de8831d3a1344e851
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

bcprov-jdk15on-1.47.jar

Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /Users/andy/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.47/bcprov-jdk15on-1.47.jar
MD5: 7749dd7eca4403fb968ddc484263736a
SHA1: b6f5d9926b0afbde9f4dbe3db88c5247be7794bb
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.47   Confidence: LOW
  • cpe: cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.47   Confidence: LOW
  • maven: org.bouncycastle:bcprov-jdk15on:1.47   Confidence: HIGHEST

groovy-all-1.8.9.jar

Description:  Commons CLI provides a simple API for presenting, processing and validating a command line interface.

File Path: /Users/andy/.m2/repository/org/codehaus/groovy/groovy-all/1.8.9/groovy-all-1.8.9.jar
MD5: b66c31348050017b46d90921d8312752
SHA1: 5396699e9d96c5c75d75ae95aa49acd5af048aac
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

CVE-2016-6497  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features

main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

Vulnerable Software & Versions:

CVE-2015-3253  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Vulnerable Software & Versions:

plexus-component-annotations-1.5.5.jar

Description:  Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with standard annotations instead of javadoc annotations.

File Path: /Users/andy/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
MD5: ef37dcdb84030422db428b63c4354e5b
SHA1: c72f2660d0cbed24246ddb55d7fdc4f7374d2078
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

plexus-utils-1.5.5.jar

File Path: /Users/andy/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.5/plexus-utils-1.5.5.jar
MD5: 1036f5d94f13320c94e4be3a28be65d6
SHA1: 7bd031358c3d6d3a7aea2e4de03c0d34675c5d9d
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

wstx-asl-3.2.9.jar

Description: Woodstox is a high-performance XML processor that implements Stax (JSR-173) API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/codehaus/woodstox/wstx-asl/3.2.9/wstx-asl-3.2.9.jar
MD5: 8cb7d88faca2da5a3f9a3c50eee1fc3b
SHA1: c82b6e8f225bb799540e558b10ee24d268035597
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

aether-util-0.9.0.M2.jar

Description:  A collection of utility classes to ease usage of the repository system.

License:

http://www.eclipse.org/legal/epl-v10.html
File Path: /Users/andy/.m2/repository/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar
MD5: fc6315129d2e2063e2f2725e6337587f
SHA1: b957089deb654647da320ad7507b0a4b5ce23813
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jansi-1.9.jar

Description: Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/fusesource/jansi/jansi/1.9/jansi-1.9.jar
MD5: 950339565ffb3fead0640e697cb9f3c7
SHA1: 3ce7490622cb94ae6293cd9b6ca3f617516a2696
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jansi-1.9.jar: jansi.dll

File Path: /Users/andy/.m2/repository/org/fusesource/jansi/jansi/1.9/jansi-1.9.jar/META-INF/native/windows32/jansi.dll
MD5: 1f2e782f590fd99e3e8820565a5d5efb
SHA1: da125d2255050e13db6a84325e40f5c20eae81af
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jansi-1.9.jar: jansi.dll

File Path: /Users/andy/.m2/repository/org/fusesource/jansi/jansi/1.9/jansi-1.9.jar/META-INF/native/windows64/jansi.dll
MD5: f4f883eaf7f7413a085d9868511af8a9
SHA1: 5da042be27f3b6f0a8e6cff07ad678c6975726a4
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

javax.json-1.0.4.jar

Description: Default provider for JSR 353:Java API for Processing JSON

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /Users/andy/.m2/repository/org/glassfish/javax.json/1.0.4/javax.json-1.0.4.jar
MD5: 569870f975deeeb6691fcb9bc02a9555
SHA1: 3178f73569fd7a1e5ffc464e680f7a8cc784b85a
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

constant-pool-scanner-1.2.jar

Description: Simple utility to scan Java bytecode for class references in the constant pool.

License:

NetBeans CDDL/GPL: http://www.netbeans.org/cddl-gplv2.html
File Path: /Users/andy/.m2/repository/org/jenkins-ci/constant-pool-scanner/1.2/constant-pool-scanner-1.2.jar
MD5: a04ea81d440c7f10523b898c90dee1c9
SHA1: e5e0b7c7fcb67767dbd195e0ca1f0ee9406dd423
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jenkins-war-1.561.jar: annotation-indexer-1.7.jar

Description:  Creates index of annotations.

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/annotation-indexer-1.7.jar
MD5: 22c726dd6db1ab8250af5695e74494e6
SHA1: c7f4daa90d15a06ad8f792169383cb67677d150e
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.7   Confidence: LOW
  • maven: org.jenkins-ci:annotation-indexer:1.7   Confidence: HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions: (show all)

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions: (show all)

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions: (show all)

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions: (show all)

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions: (show all)

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions: (show all)

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions: (show all)

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions: (show all)

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions: (show all)

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions: (show all)

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions: (show all)

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions: (show all)

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions: (show all)

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions: (show all)

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions: (show all)

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions: (show all)

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions: (show all)

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions: (show all)

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions: (show all)

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions: (show all)

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions: (show all)

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions: (show all)

jenkins-war-1.561.jar: bridge-method-annotation-1.9.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/bridge-method-annotation-1.9.jar
MD5: 4f2825c6e98a3ba60db8011c31c74c61
SHA1: 825c7d4d82024b0700ba013fcc5ad5f25d83e768
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: com.infradna.tool:bridge-method-annotation:1.9   Confidence:HIGH

jenkins-war-1.561.jar: bytecode-compatibility-transformer-1.5.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/bytecode-compatibility-transformer-1.5.jar
MD5: 63a82d216b28173f01bd511b8d55d26d
SHA1: 90750f3fbc72849502c50e46d85290986865863c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.5   Confidence:LOW   
  • maven: org.jenkins-ci:bytecode-compatibility-transformer:1.5   Confidence:HIGH
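
The CPE above is a LOW-confidence match: the tool has tied a small helper library to cpe:/a:jenkins:jenkins purely because its version string (1.5) and its org.jenkins-ci groupId look like Jenkins core, so every Jenkins CVE that follows is listed a second time against this jar. The script below is an added example, not Dependency-Check's own code and not part of the report: it triages identifier blocks of this shape and writes a suppression file for the entries a reviewer has confirmed. The sample records are constructed from the identifier blocks visible on this page (the jenkins-war SHA-1 and CPE confidence are not shown here and are placeholders), the heuristic in is_suspect is an assumption of this example rather than a tool rule, and the suppression schema version is assumed and should be checked against the installed tool.

```python
"""Triage LOW-confidence CPE matches in a Dependency-Check report and emit a
suppression file for the ones a reviewer has confirmed as false positives.

Added example: not Dependency-Check's own code and not part of the report.
Records are constructed from identifier blocks visible in the report; the
jenkins-war SHA-1 and confidence are placeholders. The heuristic and the
suppression schema version are assumptions to check against the tool.
"""
import xml.etree.ElementTree as ET

# Assumed: the 1.1 suppression schema accepted by reports of this vintage.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"

# Constructed sample records mirroring the report's identifier blocks.
REPORT_DEPENDENCIES = [
    {   # Jenkins core itself: the CVE list genuinely applies here.
        "fileName": "jenkins-war-1.561.jar",
        "sha1": "sha1-not-shown-in-this-section",           # placeholder
        "maven": "org.jenkins-ci.main:jenkins-war:1.561",
        "cpe": "cpe:/a:jenkins:jenkins:1.561",
        "cpeConfidence": "HIGHEST",                            # assumed
    },
    {   # Helper library matched to Jenkins core only because its version
        # string (1.5) and groupId look like Jenkins: CPE confidence LOW.
        "fileName": "jenkins-war-1.561.jar: bytecode-compatibility-transformer-1.5.jar",
        "sha1": "90750f3fbc72849502c50e46d85290986865863c",
        "maven": "org.jenkins-ci:bytecode-compatibility-transformer:1.5",
        "cpe": "cpe:/a:jenkins:jenkins:1.5",
        "cpeConfidence": "LOW",
    },
    {   # Maven identifier only, no CPE: nothing to triage.
        "fileName": "jenkins-war-1.561.jar: bridge-method-annotation-1.9.jar",
        "sha1": "825c7d4d82024b0700ba013fcc5ad5f25d83e768",
        "maven": "com.infradna.tool:bridge-method-annotation:1.9",
        "cpe": None,
        "cpeConfidence": None,
    },
]


def parse_cpe(cpe):
    """'cpe:/a:vendor:product:version' -> (vendor, product, version)."""
    parts = cpe.split(":")            # ["cpe", "/a", vendor, product, version, ...]
    vendor, product = parts[2], parts[3]
    version = parts[4] if len(parts) > 4 else ""
    return vendor, product, version


def parse_gav(gav):
    """'group:artifact:version' -> (group, artifact, version)."""
    group, artifact, version = gav.split(":")[:3]
    return group, artifact, version


def _norm(name):
    return name.lower().replace("_", "").replace("-", "").replace(".", "")


def is_suspect(dep):
    """Heuristic (this example's assumption, not a Dependency-Check rule): a
    CPE match needs human review when the analyzer's own confidence is LOW,
    the CPE product name is not part of the Maven artifactId, and the CPE
    version is simply the artifact's own version string lifted across."""
    if not dep.get("cpe"):
        return False
    _, product, cpe_version = parse_cpe(dep["cpe"])
    _, artifact, art_version = parse_gav(dep["maven"])
    confidence_low = dep.get("cpeConfidence") == "LOW"
    name_mismatch = _norm(product) not in _norm(artifact)
    version_lifted = cpe_version == art_version
    return confidence_low and name_mismatch and version_lifted


def suspect_dependencies(deps):
    return [d for d in deps if is_suspect(d)]


def build_suppressions(deps):
    """Emit a suppression document keyed by SHA-1 so only this exact jar is
    affected. The vendor:product pair is suppressed without a version so the
    same jar is not re-flagged when the tool's version guess changes."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element("{%s}suppressions" % SUPPRESSION_NS)
    for dep in suspect_dependencies(deps):
        vendor, product, _ = parse_cpe(dep["cpe"])
        _, artifact, _ = parse_gav(dep["maven"])
        sup = ET.SubElement(root, "{%s}suppress" % SUPPRESSION_NS)
        notes = ET.SubElement(sup, "{%s}notes" % SUPPRESSION_NS)
        notes.text = "%s: LOW-confidence CPE match; artifact %s is not %s:%s. Reviewed and suppressed." % (
            dep["fileName"], artifact, vendor, product)
        ET.SubElement(sup, "{%s}sha1" % SUPPRESSION_NS).text = dep["sha1"]
        ET.SubElement(sup, "{%s}cpe" % SUPPRESSION_NS).text = "cpe:/a:%s:%s" % (vendor, product)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_suppressions(REPORT_DEPENDENCIES))
```

Run it and commit the output as the suppression file passed to the scan; the notes element records why the match was dismissed, which is what the next reviewer will want when the jar is upgraded and the entry has to be re-justified.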

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions: (show all)

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions: (show all)

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions: (show all)

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions: (show all)

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions: (show all)

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions: (show all)

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions: (show all)

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions: (show all)

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions: (show all)

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions: (show all)
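
CVE-2016-0791 and CVE-2016-0790 above share one root cause: a byte-by-byte comparison that returns at the first mismatch leaks, through response time, how long a matching prefix the attacker has already found. The block below is an added example, not Jenkins code: it models that defect with a step counter in place of wall-clock timing so the effect is exact and reproducible, and pairs it with the constant-time version and the standard-library call to ship instead. The token value, the hex alphabet, the oracle and the recovery routine are all constructed for the demonstration.

```python
"""Why a non-constant-time token check is brute-forceable byte by byte.

Added example, not Jenkins code: models the defect behind CVE-2016-0790
(API tokens) and CVE-2016-0791 (CSRF crumbs) with a step counter instead of
wall-clock timing. TOKEN, HEX, the oracle and the attacker are constructed.
"""
import hmac

TOKEN = b"7f3a9c0e1b5d2468"          # constructed secret, 16 hex characters
HEX = b"0123456789abcdef"            # alphabet the attacker enumerates


def naive_equals(expected, presented):
    """Early-exit comparison of the kind the CVEs describe.
    Returns (equal, steps); steps is how many bytes were examined before the
    function returned, which on a real server shows up as response time."""
    if len(expected) != len(presented):
        return False, 0
    steps = 0
    for a, b in zip(expected, presented):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equals(expected, presented):
    """Examine every byte and OR the differences together, so the work done
    does not depend on where the first mismatch is. Production code should
    call hmac.compare_digest (Java: MessageDigest.isEqual); this version only
    exists to expose the step count."""
    if len(expected) != len(presented):
        return False, 0
    diff, steps = 0, 0
    for a, b in zip(expected, presented):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def make_oracle(compare):
    """Server side: takes a presented token, returns (accepted, steps).
    A real attacker observes only accepted and the elapsed time."""
    return lambda presented: compare(TOKEN, presented)


def recover_with_oracle(oracle, length, alphabet):
    """Attacker side: fix one position at a time, keeping the byte that made
    the server do the most work. Costs len(alphabet) * length queries instead
    of len(alphabet) ** length. Returns (recovered, accepted)."""
    guess = bytearray(alphabet[:1] * length)
    for pos in range(length):
        best, best_steps = alphabet[0], -1
        for c in alphabet:
            guess[pos] = c
            accepted, steps = oracle(bytes(guess))
            if accepted:
                return bytes(guess), True
            if steps > best_steps:           # ties keep the first candidate
                best, best_steps = c, steps
        guess[pos] = best
    return bytes(guess), False


def stdlib_equals(expected, presented):
    """What to actually ship: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print("early-exit server:   ", recover_with_oracle(make_oracle(naive_equals), len(TOKEN), HEX))
    print("constant-time server:", recover_with_oracle(make_oracle(constant_time_equals), len(TOKEN), HEX))
```

Against the early-exit server the attacker recovers all 16 characters in at most 256 queries; against the constant-time server every query costs the same and the recovery loop never moves off its starting guess. On a real network the step count is smeared by jitter, but it is averaged out with repeated requests, which is why the fix is the comparison routine and not rate limiting alone.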

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions: (show all)

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions: (show all)

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions: (show all)

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions: (show all)

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions: (show all)

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions: (show all)

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions: (show all)

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions: (show all)

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions: (show all)

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions: (show all)

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions: (show all)

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions: (show all)

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions: (show all)
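
The CVE-2015-5319 description above (listed under jenkins-war at the top of this section as well as here) explains a two-stage XXE: create-job stores the submitted config.xml as-is, and the external entity is only resolved later, when get-job or update-job hands the stored document to an XML-aware tool. The block below is an added example written from scratch, not Jenkins code and not the actual fix: it is the intake check that closes that gap, refusing any DTD before the document reaches a parser that might resolve entities. The two hostile configurations and the benign one are constructed samples, and the function and exception names are this example's own.

```python
"""Reject DTDs in a job configuration before any XML-aware tool sees it.

Added example, not Jenkins code. CVE-2015-5319 is an XXE in create-job: the
crafted config.xml is stored untouched and the external entity is resolved
later, when get-job or update-job parses it. This guard is an intake check;
the sample documents and function names are constructed for the example.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries DTD machinery that could read files."""


def reject_dtd(xml_bytes):
    """Pre-flight pass with expat. Any DOCTYPE, entity declaration or external
    entity reference aborts the parse; a clean document returns True. Nothing
    is ever resolved, because the handlers raise before expat would fetch."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE not allowed in job configuration: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError("entity declaration not allowed: %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError("external entity reference not allowed: %s" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return True


def load_job_config(xml_bytes):
    """What an intake path should do: refuse DTDs first, then parse with a
    plain ElementTree parser and return the fields the caller needs."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {"root": root.tag, "description": root.findtext("description")}


def is_safe(xml_bytes):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        reject_dtd(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: a plain freestyle job config and two hostile ones.
BENIGN_CONFIG = b"""<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>nightly build</description>
  <keepDependencies>false</keepDependencies>
</project>
"""

# The CVE's shape: the entity is harmless at create-job time and is expanded
# by whichever XML-aware tool later reads the stored configuration.
XXE_CONFIG = b"""<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<project>
  <description>&xxe;</description>
</project>
"""

# Internal entities only, no file read, but still a DTD: entity-expansion
# bombs live here, so the same rule rejects it.
ENTITY_BOMB_CONFIG = b"""<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE project [
  <!ENTITY a "aaaaaaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<project><description>&b;</description></project>
"""

if __name__ == "__main__":
    print(load_job_config(BENIGN_CONFIG))
    print(is_safe(XXE_CONFIG), is_safe(ENTITY_BOMB_CONFIG))
```

Rejecting the DOCTYPE outright, rather than trying to disable only external entities, is the simpler rule to audit: a job configuration has no legitimate need for a DTD, and the same check also shuts the door on entity-expansion denial of service. The check belongs at every boundary where the stored document is re-read, not only at create-job, since an already-stored configuration from before the fix is still on disk.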

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions: (show all)

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions: (show all)

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions: (show all)

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions: (show all)

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions: (show all)

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions: (show all)

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions: (show all)

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions: (show all)

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions: (show all)

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions: (show all)

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions: (show all)

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions: (show all)

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions: (show all)

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions: (show all)

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions: (show all)

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions: (show all)

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions: (show all)

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions: (show all)

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions: (show all)

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: cli-1.561.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/cli-1.561.jar
MD5: f936674d58cef7e869e2e650db97756e
SHA1: be86a9086c1428590dabec8f6195f91d1e379a0d
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.561   Confidence:LOW   
  • maven: org.jenkins-ci.main:cli:1.561   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: commons-collections-3.2.1.jar

Description: Types that extend and augment the Java Collections Framework.

License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/commons-collections-3.2.1.jar
MD5: 13bc641afd7fd95e09b260f69c1e4c91
SHA1: 761ea405b9b37ced573d2df0d1e3a4e0f9edc668
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

CVE-2015-6420  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: commons-jelly-1.1-jenkins-20120928.jar

Description: Jelly is a Java and XML based scripting engine. Jelly combines the best ideas from JSTL, Velocity, DVSL, Ant and Cocoon all together in a simple yet powerful scripting engine.

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/commons-jelly-1.1-jenkins-20120928.jar
MD5: c0fc39ae35a97354654267c12d4f86c1
SHA1: 2720a0d54b7f32479b08970d7738041362e1f410
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci:commons-jelly:1.1-jenkins-20120928   Confidence:HIGH

jenkins-war-1.561.jar: commons-jexl-1.1-jenkins-20111212.jar

Description: Jexl is an implementation of the JSTL Expression Language with extensions.

License: The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/commons-jexl-1.1-jenkins-20111212.jar
MD5: 6ac1813e9e680f10aa01e5bfa06a7f22
SHA1: 0a990a77bea8c5a400d58a6f5d98122236300f7d
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci:commons-jexl:1.1-jenkins-20111212   Confidence:HIGH

jenkins-war-1.561.jar: crypto-util-1.1.jar

License: MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/crypto-util-1.1.jar
MD5: cbc79ca21a2445ee9486d8c21bf417d9
SHA1: 3a199a4c3748012b9dbbf3080097dc9f302493d8
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1   Confidence:LOW   
  • maven: org.jenkins-ci:crypto-util:1.1   Confidence:HIGH
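The identifier pair above is the one to question before acting on the CVE list that follows it. The Maven coordinate org.jenkins-ci:crypto-util:1.1 is matched at HIGH confidence, while the CPE cpe:/a:jenkins:jenkins:1.1 is matched only at LOW confidence, and it is that CPE which attributes every Jenkins core advisory below to a small helper library whose version number merely happens to be 1.1 (every "Jenkins before 1.551" range trivially contains 1.1). Once the jar has been confirmed to be the crypto-util library and not Jenkins core, Dependency-Check's suppression mechanism is the right tool. The file below is an added example and is not part of the original report or of the scanned project; it pins the suppression to the jar's SHA1 from this page so that it cannot silently cover a different artifact, and the file name dependency-check-suppressions.xml is assumed. Do not apply the same reasoning to commons-collections-3.2.1.jar: the CVE-2015-6420 text names Cisco products, but that jar is the commons-collections gadget named in the CVE-2015-8103 entry on this page, so its finding stands.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Dependency-Check suppression file (assumed name:
     dependency-check-suppressions.xml). The suppression is scoped to the
     exact artifact via the SHA1 reported above, so a different build of
     crypto-util, or any other jar, is still matched and reported normally. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        crypto-util-1.1.jar (org.jenkins-ci:crypto-util:1.1, Maven match at HIGH
        confidence) is a small Jenkins helper library, not Jenkins core. The
        LOW-confidence CPE cpe:/a:jenkins:jenkins:1.1 is a version-number
        coincidence and pulls in every Jenkins core advisory. Re-verify when the
        jar changes: the sha1 below will stop matching and the finding reappears.
        ]]></notes>
        <sha1>3a199a4c3748012b9dbbf3080097dc9f302493d8</sha1>
        <cpe>cpe:/a:jenkins:jenkins</cpe>
    </suppress>
</suppressions>
```

The file is passed to the command-line scanner with `--suppression dependency-check-suppressions.xml`; the Maven plugin takes the same file through its suppressionFiles configuration. Suppressing the CPE rather than listing CVE identifiers is deliberate: the defect is in the identification, not in any single advisory, and a per-CVE list would have to be extended every time a new Jenkins core advisory is published.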

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: hamcrest-core-1.3.jar

Description: This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jenkins-war-1.561.jar: instance-identity-1.4.jar

Description: Maintains an RSA key pair that can serve as a foundation of authentication when communicating with Jenkins

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/instance-identity-1.4.jar
MD5: e92b4f38d4b28686fa274e0208f87537
SHA1: d54a7f8022e3a06d4d7505597982118b23cb641b
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.4   Confidence:LOW   
  • maven: org.jenkins-ci.modules:instance-identity:1.4   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: jcifs-1.3.17-kohsuke-1.jar

Description: JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java

License:

GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jcifs-1.3.17-kohsuke-1.jar
MD5: 0fa1a11719cafbd3c902e50bc54a4d32
SHA1: 6c9114dc4075277d829ea09e15d6ffab52f2d0c0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.samba.jcifs:jcifs:1.3.17-kohsuke-1   Confidence:HIGH

jenkins-war-1.561.jar: jenkins-core-1.561.jar

Description: Contains the core Jenkins code and view files to render HTML.

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jenkins-core-1.561.jar
MD5: 27b55eb2211108ac460128592239d06b
SHA1: 2dad6ef189e4b9e074c4e3cecd0898e49827f902
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.561   Confidence:LOW   
  • maven: org.jenkins-ci.main:jenkins-core:1.561   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: jmdns-3.4.0-jenkins-3.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jmdns-3.4.0-jenkins-3.jar
MD5: d01f9778ef41fe79ad93ea57c27d0573
SHA1: 264d0c402b48c365f34d072b864ed57f25e92e63
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jna-3.3.0-jenkins-3.jar
MD5: d40166904b58282aa21508451d10e1d3
SHA1: 5b796a22377b19a758ebcaa71e02c34d847d00c6
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar: jnidispatch.dll

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jna-3.3.0-jenkins-3.jar/com/sun/jna/win32-amd64/jnidispatch.dll
MD5: 974608dd71ea3a19a14917f4cbcdf6cf
SHA1: 025d0d4f8f064de61dd84430c7f2cb17054db4ca
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jenkins-war-1.561.jar: jna-3.3.0-jenkins-3.jar: jnidispatch.dll

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jna-3.3.0-jenkins-3.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: c3dab70b8dfd36d161edb5dd0a058681
SHA1: eb7f7229c40c3d0a5812303752bdc66fe514d13c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

jenkins-war-1.561.jar: json-lib-2.4-jenkins-2.jar

Description: Java library for transforming beans, maps, collections, java arrays and XML to JSON.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/json-lib-2.4-jenkins-2.jar
MD5: 89af908e408eedc0c3abd5a1a08e29de
SHA1: 7f4f9016d8c8b316ecbe68afe7c26df06d301366
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.kohsuke.stapler:json-lib:2.4-jenkins-2   Confidence:HIGH

jenkins-war-1.561.jar: junit-4.11.jar

Description: JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

License:

Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/junit-4.11.jar
MD5: 3c42be5ea7cbf3635716abbb429cb90d
SHA1: 4e031bb61df09069aeb2bffb4019e7a5034a4ee0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jenkins-war-1.561.jar: jzlib-1.1.3-kohsuke-1.jar

Description: JZlib is a re-implementation of zlib in pure Java

License:

BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/jzlib-1.1.3-kohsuke-1.jar
MD5: 7f94e1243c83cd90ea28e4bf0cc61eaa
SHA1: af5d27e1de29df05db95da5d76b546d075bc1bc5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: com.jcraft:jzlib:1.1.3-kohsuke-1   Confidence:HIGH
  • cpe: cpe:/a:jcraft:jzlib:1.1.3   Confidence:LOW   

jenkins-war-1.561.jar: launchd-slave-installer-1.2.jar

Description: Adds a GUI option to install the JNLP slave agent under launchd

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/launchd-slave-installer-1.2.jar
MD5: a6998942af36816110db859228c60ca7
SHA1: 8ef06fc2a3d9436aa214e318c66cb6dc274440b8
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci.modules:launchd-slave-installer:1.2   Confidence:HIGH

jenkins-war-1.561.jar: memory-monitor-1.7.jar

Description: Code for monitoring memory/swap usage

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/memory-monitor-1.7.jar
MD5: 50cc7fef1ada99d10a1907ddb415ad0b
SHA1: 6a9d5cf559b731bbda12a872e9652e8af7c53a8b
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.7   Confidence:LOW   
  • maven: org.jenkins-ci:memory-monitor:1.7   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: remoting-2.40.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/remoting-2.40.jar
MD5: 278b0e7ba3e6c83559bef91e26028f27
SHA1: 1af7369f21fb4fe3cca7601532d0abe84e03d2f3
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:2.40   Confidence:LOW   

jenkins-war-1.561.jar: robust-http-client-1.2.jar

Description: InputStream that hides automatic download retry

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/robust-http-client-1.2.jar
MD5: 33f540df15bd4a3324654a7a902207a2
SHA1: dee9fda92ad39a94a77ec6cf88300d4dd6db8a4d
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jvnet.robust-http-client:robust-http-client:1.2   Confidence:HIGH

jenkins-war-1.561.jar: slave-installer-1.3.jar

Description: Base abstraction for platform-specific slave installer

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/slave-installer-1.3.jar
MD5: 7786deaf46a3aa5a535f982486cb3e30
SHA1: 1bfa193a0c1a5c3606236a4ba2b40f31927db0d5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.3   Confidence:LOW   
  • maven: org.jenkins-ci.modules:slave-installer:1.3   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: slf4j-api-1.7.4.jar

Description: The slf4j API

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/slf4j-api-1.7.4.jar
MD5: fe6474dc9ee70c418ef1df52e609810f
SHA1: b080da16832c1240acbf3f59f338a8e713705c0c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jenkins-war-1.561.jar: spring-core-2.5.6.SEC03.jar

Description: Spring Framework: Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/spring-core-2.5.6.SEC03.jar
MD5: 5e06844478fd0e09db22bf39cf5cc308
SHA1: 644a23805a7ea29903bde0ccc1cd1a8b5f0432d6
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:pivotal:spring_framework:2.5.6.sec03   Confidence:LOW   
  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.6.sec03   Confidence:LOW   
  • cpe: cpe:/a:springsource:spring_framework:2.5.6.sec03   Confidence:LOW   
  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03   Confidence:LOW   
  • maven: org.springframework:spring-core:2.5.6.SEC03   Confidence:HIGHEST

CVE-2016-9878  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-4152  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2011-2730  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

jenkins-war-1.561.jar: ssh-cli-auth-1.2.jar

Description: Use the SSH private key on the client to authenticate the CLI clients

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/ssh-cli-auth-1.2.jar
MD5: d876683e63f9a70675296701dc487e50
SHA1: 7a5a675da6b91b8b6e03eabef25d4c34fbdb7c94
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci.modules:ssh-cli-auth:1.2   Confidence:HIGH

jenkins-war-1.561.jar: sshd-1.6.jar

Description: Adds SSH server functionality to Jenkins, exposing CLI commands through it

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/sshd-1.6.jar
MD5: 10cdd1c62bba07e953efd532e48df8db
SHA1: 63f05d320727c3381b8a6fb4735c80c19ce271b2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci.modules:sshd:1.6   Confidence:HIGH

jenkins-war-1.561.jar: stapler-adjunct-codemirror-1.3.jar

License:

MIT License: http://codemirror.net/LICENSE
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/stapler-adjunct-codemirror-1.3.jar
MD5: 5ebb241efd642d6985b89d56b8d640c8
SHA1: fd1d45544400d2a4da6dfee9e60edd4ec3368806
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-codemirror:1.3   Confidence:HIGH

jenkins-war-1.561.jar: stapler-adjunct-timeline-1.4.jar

License:

BSD License: http://simile.mit.edu/license.html
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/stapler-adjunct-timeline-1.4.jar
MD5: 39d5639b773184162378c855e7ea3f3e
SHA1: cb4664390d5f2fff8b4cdaee7d358b965be67fac
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-timeline:1.4   Confidence:HIGH

jenkins-war-1.561.jar: systemd-slave-installer-1.1.jar

Description: Installs a slave agent as a systemd service (typically found on Linux).

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/systemd-slave-installer-1.1.jar
MD5: 4c89c44ca3c604a043253e7482b1d65f
SHA1: a9a4adb0480ec8942d031b0fff9005077b889875
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci.modules:systemd-slave-installer:1.1   Confidence:HIGH

jenkins-war-1.561.jar: task-reactor-1.4.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/task-reactor-1.4.jar
MD5: e102edb5dabfc6194eec1df6b6ee1baf
SHA1: b89e501a3bc64fe9f28cb91efe75ed8745974ef8
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.4   Confidence:LOW   
  • maven: org.jenkins-ci:task-reactor:1.4   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: trilead-ssh2-build217-jenkins-3.jar

Description: Ganymed SSH2 for Java is a library which implements the SSH-2 protocol in pure Java

License:

BSD style license: http://www.ganymed.ethz.ch/ssh2/LICENSE.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/trilead-ssh2-build217-jenkins-3.jar
MD5: 686e7cc7b915a38f8a86a16c7e685ffa
SHA1: 06cb838766bf622bce84f651bdac51746de8e31e
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci:trilead-ssh2:build217-jenkins-3   Confidence:HIGH

jenkins-war-1.561.jar: upstart-slave-installer-1.1.jar

Description: Installs a slave agent as upstart service

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/upstart-slave-installer-1.1.jar
MD5: 6c3cb93924d2eb1955b53318da4ce401
SHA1: a2ce1f49745d63c8520d50a0c6430afd377ece48
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1   Confidence:LOW   
  • maven: org.jenkins-ci.modules:upstart-slave-installer:1.1   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: version-number-1.1.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/version-number-1.1.jar
MD5: 09f7aa040d72c6793acf2a2197f17d07
SHA1: 19aaa284b3abaeb64c226bf6b5cb25b8ddf7379e
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1   Confidence:LOW   
  • maven: org.jenkins-ci:version-number:1.1   Confidence:HIGH

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17 Code

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

jenkins-war-1.561.jar: windows-slave-installer-1.4.jar

Description: Adds a GUI option to install the JNLP slave agent as a Windows service

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/windows-slave-installer-1.4.jar
MD5: c4ed63e570c88568aafc7cffee1a112f
SHA1: 7f33383a9dcea75cb25a2ba802d9f411ec255d58
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jenkins-ci.modules:windows-slave-installer:1.4   Confidence:HIGH

jenkins-war-1.561.jar: xstream-1.4.7-jenkins-1.jar

Description: XStream is a serialization library from Java objects to XML and back.

License:

http://xstream.codehaus.org/license.html
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/lib/xstream-1.4.7-jenkins-1.jar
MD5: 6b27008bd6cb5f4cc430e219d785313a
SHA1: 161ed1603117c2d37b864f81a0d62f36cf7e958a
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • maven: org.jvnet.hudson:xstream:1.4.7-jenkins-1   Confidence:HIGH

jenkins-war-1.561.jar: winstone.jar

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/winstone.jar
MD5: c69d35d63928189097a3279bd70a3968
SHA1: fe16c87b9dbcf07267422520c37bb356198fb2e7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:2.3   Confidence:LOW   
  • cpe: cpe:/a:jetty:jetty:2.3   Confidence:LOW   

jna-posix-1.0.3.jar

Description: Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /Users/andy/.m2/repository/org/jruby/ext/posix/jna-posix/1.0.3/jna-posix-1.0.3.jar
MD5: dd6d76a6f9a536e89abf377318cd67b2
SHA1: f480f20e540f1fa1e8ffcc5a1907b625b8da621c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jsoup-1.10.1.jar

Description: jsoup HTML parser

License:

The MIT License: https://jsoup.org/license
File Path: /Users/andy/.m2/repository/org/jsoup/jsoup/1.10.1/jsoup-1.10.1.jar
MD5: 22202cc29a4e49e6642cbf06189186c6
SHA1: 645f1ad2f6f4cbad1cde4c483eae71e4051be6ef
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

activation-1.1.1-hudson-1.jar

Description: Java Activation Framework with patch

File Path: /Users/andy/.m2/repository/org/jvnet/hudson/activation/1.1.1-hudson-1/activation-1.1.1-hudson-1.jar
MD5: 8adfc4a9b8c3b2f7beae53e5ce8fdb73
SHA1: 7957d80444223277f84676aabd5b0421b65888c4
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

commons-jelly-tags-define-1.0.1-hudson-20071021.jar

Description: The Jelly Define Tag Library

File Path: /Users/andy/.m2/repository/org/jvnet/hudson/commons-jelly-tags-define/1.0.1-hudson-20071021/commons-jelly-tags-define-1.0.1-hudson-20071021.jar
MD5: 1d6763fb2a89c9fe54f75e69ded222f5
SHA1: 8b952d0e504ee505d234853119e5648441894234
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

dom4j-1.6.1-hudson-3.jar

Description: dom4j: the flexible XML framework for Java

File Path: /Users/andy/.m2/repository/org/jvnet/hudson/dom4j/dom4j/1.6.1-hudson-3/dom4j-1.6.1-hudson-3.jar
MD5: a23b58c54399beb86dd001ab794c7a9b
SHA1: 2ed473e75ae78c8515c487a31e06b96dbf24e3a2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jtidy-4aug2000r7-dev-hudson-1.jar

Description: JTidy is a Java port of HTML Tidy, an HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM parser for real-world HTML. Hudson modifications: removed SAX APIs.

License:

Java HTML Tidy License: http://svn.sourceforge.net/viewvc/*checkout*/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /Users/andy/.m2/repository/org/jvnet/hudson/jtidy/4aug2000r7-dev-hudson-1/jtidy-4aug2000r7-dev-hudson-1.jar
MD5: 1f014d4bfe25ab914f8bc45eb9371d10
SHA1: ad8553d0acfa6e741d21d5b2c2beb737972ab7c7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

libzfs-0.5.jar

Description: libzfs for Java

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE: http://www.opensource.org/licenses/cddl1.txt
File Path: /Users/andy/.m2/repository/org/jvnet/libzfs/libzfs/0.5/libzfs-0.5.jar
MD5: bfcf793719ed18bf35ab0d2ffb1549ee
SHA1: 664ce46c0ce5e4ea1199a83d3971ee6c1e308815
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

localizer-1.10.jar

File Path: /Users/andy/.m2/repository/org/jvnet/localizer/localizer/1.10/localizer-1.10.jar
MD5: d594d2d0ba922edc0ff7faa2d9718eb7
SHA1: 718c3b66b51651be4cc66cec8ca83bfb7c6ced1b
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

tiger-types-1.3.jar

File Path: /Users/andy/.m2/repository/org/jvnet/tiger-types/1.3/tiger-types-1.3.jar
MD5: 3e12caa6bd5111671b5e321548d7700a
SHA1: c79388cdf653350d445976298a85937cbd23ae2e
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

winp-1.19.jar

Description: Kill process tree in Windows

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/jvnet/winp/winp/1.19/winp-1.19.jar
MD5: ef7b104f5abf0b99c3b443d7fa6ffd6f
SHA1: 1f474a09dc1a2bc9238e24aa59b4c8850e1ad300
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:killprocess:killprocess:1.19   Confidence:LOW   
  • maven: org.jvnet.winp:winp:1.19   Confidence:HIGHEST

CVE-2005-2947  

Severity: Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Buffer overflow in KillProcess 2.20 and earlier allows user-assisted attackers to execute arbitrary code via an exe file with a long FileDescription in the version resource.

Vulnerable Software & Versions:

winp-1.19.jar: winp.dll

File Path: /Users/andy/.m2/repository/org/jvnet/winp/winp/1.19/winp-1.19.jar/winp.dll
MD5: 05748caa208c2539c24e67912d405091
SHA1: 43d60a4f83ba42d9bb10d18c46919c7ff3def21c
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

winp-1.19.jar: winp.x64.dll

File Path: /Users/andy/.m2/repository/org/jvnet/winp/winp/1.19/winp-1.19.jar/winp.x64.dll
MD5: 35a3f35d2ed629a6cec5b41dd1d280c3
SHA1: 683c07503cb9093cd665386a260fa49a0e629b34
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

access-modifier-annotation-1.4.jar

File Path: /Users/andy/.m2/repository/org/kohsuke/access-modifier-annotation/1.4/access-modifier-annotation-1.4.jar
MD5: 1afe6492b5fdb08b7bace3b4aaa6f4d0
SHA1: 734bb6a59541a42d1e8948cdf27f0cc1bf56d714
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

akuma-1.9.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/kohsuke/akuma/1.9/akuma-1.9.jar
MD5: 478bd132aeb7b1ddbb2479800cbc6f18
SHA1: 52d4ab9047c52208df78f1694799f1f4a942c8a2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm3-3.3.0.jar

Description: Redistribution of version 3.3 of the ASM Java bytecode manipulation framework (http://forge.ow2.org/projects/asm/), complete with source code and javadoc.

License:

BSD License: http://cvs.forge.objectweb.org/cgi-bin/viewcvs.cgi/*checkout*/asm/asm/LICENSE.txt
File Path: /Users/andy/.m2/repository/org/kohsuke/asm3/3.3.0/asm3-3.3.0.jar
MD5: df9944fc2ffb8aa25c59435d0e809b85
SHA1: 99d8f8e4bce5cbad5812e95cacdf388a37893fdd
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm5-5.0.1.jar

Description: ObjectWeb ASM package-renamed to isolate incompatibilities between major versions

License:

BSD License: http://asm.ow2.org/license.html
File Path: /Users/andy/.m2/repository/org/kohsuke/asm5/5.0.1/asm5-5.0.1.jar
MD5: 3fa9de5c3c3bb6847366d777b9e6c518
SHA1: 71ab0620a41ed37f626b96d80c2a7c58165550df
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

j-interop-2.0.6-kohsuke-1.jar

File Path: /Users/andy/.m2/repository/org/kohsuke/jinterop/j-interop/2.0.6-kohsuke-1/j-interop-2.0.6-kohsuke-1.jar
MD5: cf88331453c9050f0b2f058ec0baaeaa
SHA1: b2e243227608c1424ab0084564dc71659d273007
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

j-interopdeps-2.0.6-kohsuke-1.jar

File Path: /Users/andy/.m2/repository/org/kohsuke/jinterop/j-interopdeps/2.0.6-kohsuke-1/j-interopdeps-2.0.6-kohsuke-1.jar
MD5: a17335569fd2765c000e9d76116b0da9
SHA1: 778400517a3419ce8c361498c194036534851736
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

libpam4j-1.6.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/kohsuke/libpam4j/1.6/libpam4j-1.6.jar
MD5: b969f007d88efe99990c4026e032b334
SHA1: d2cc93c1ceb31d823a0fce3d2464593e9388c181
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stapler-adjunct-zeroclipboard-1.1.7-1.jar

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/andy/.m2/repository/org/kohsuke/stapler/stapler-adjunct-zeroclipboard/1.1.7-1/stapler-adjunct-zeroclipboard-1.1.7-1.jar
MD5: e2dba7d8ec5878def5e89cc361140944
SHA1: d02f6f5967ca688eed25b1968c9394d906cacb7a
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stapler-groovy-1.224.jar

Description: Groovy binding for Stapler

File Path: /Users/andy/.m2/repository/org/kohsuke/stapler/stapler-groovy/1.224/stapler-groovy-1.224.jar
MD5: b150c563e16945a21a2a4030db67ebc0
SHA1: 1f427de6a352169f5dd9a3c9a4fc183d78f0ec35
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stapler-jelly-1.224.jar

Description: Jelly binding for Stapler

File Path: /Users/andy/.m2/repository/org/kohsuke/stapler/stapler-jelly/1.224/stapler-jelly-1.224.jar
MD5: 8cd43ab70e5efd3aa652775f709a1fdf
SHA1: 86fe3114c8c2e2d95329d6443a304a28f68c6498
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stapler-jrebel-1.224.jar

Description: JRebel reloading support for Stapler

File Path: /Users/andy/.m2/repository/org/kohsuke/stapler/stapler-jrebel/1.224/stapler-jrebel-1.224.jar
MD5: 4d8e3e9e0195dd31f90a8e1673aecf85
SHA1: 46674c3aa84f3ea672ecdad44378b5651c5f9681
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stapler-1.224.jar

Description: Stapler HTTP request handling engine

File Path: /Users/andy/.m2/repository/org/kohsuke/stapler/stapler/1.224/stapler-1.224.jar
MD5: 565b8dadfb01cae18c1d43ce4ae15409
SHA1: e49ce0b58835c7d0706969f9f29a0198042f1f19
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

trilead-putty-extension-1.2.jar

Description: Loads SSH key in the PuTTY format

File Path: /Users/andy/.m2/repository/org/kohsuke/trilead-putty-extension/1.2/trilead-putty-extension-1.2.jar
MD5: aef481868db6ebe61a4cf38a6cdff1ee
SHA1: 0f2f41517e1f73be8e319da27a69e0dc0c524bf6
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

windows-package-checker-1.0.jar

File Path: /Users/andy/.m2/repository/org/kohsuke/windows-package-checker/1.0/windows-package-checker-1.0.jar
MD5: 657e7c796518905c5fe339dc614114b4
SHA1: c78a1cdb501e0437a3082989001953dedcff1452
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jbcrypt-0.3m.jar

Description: jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing code, as described in A Future-Adaptable Password Scheme by Niels Provos and David Mazières, by Damien Miller.

License:

ISC/BSD License
File Path: /Users/andy/.m2/repository/org/mindrot/jbcrypt/0.3m/jbcrypt-0.3m.jar
MD5: 5cc2288708d15dd43bc8681f5b5541b0
SHA1: fe2d9c5f23767d681a7e38fc8986b812400ec583
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:mindrot:jbcrypt:0.3m   Confidence:LOW   
  • maven: org.mindrot:jbcrypt:0.3m   Confidence:HIGHEST

asm-analysis-4.0.jar

File Path: /Users/andy/.m2/repository/org/ow2/asm/asm-analysis/4.0/asm-analysis-4.0.jar
MD5: ed783bcce7e90ec10c3deaa0944d3974
SHA1: 1c45d52b6f6c638db13cf3ac12adeb56b254cdd7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm-commons-4.0.jar

File Path: /Users/andy/.m2/repository/org/ow2/asm/asm-commons/4.0/asm-commons-4.0.jar
MD5: b6e6837fed04d4a7bad291caad8756ea
SHA1: a839ec6737d2b5ba7d1878e1a596b8f58aa545d9
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm-tree-4.0.jar

File Path: /Users/andy/.m2/repository/org/ow2/asm/asm-tree/4.0/asm-tree-4.0.jar
MD5: 2911ebc15a90c3efc248671a2d511e98
SHA1: 67bd266cd17adcee486b76952ece4cc85fe248b8
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm-util-4.0.jar

File Path: /Users/andy/.m2/repository/org/ow2/asm/asm-util/4.0/asm-util-4.0.jar
MD5: 9b2e40069a269939c471a0b2c3c833ce
SHA1: d7a65f54cda284f9706a750c23d64830bb740c39
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

asm-4.0.jar

File Path: /Users/andy/.m2/repository/org/ow2/asm/asm/4.0/asm-4.0.jar
MD5: 322d8f88c5111af612df838c0191cd7e
SHA1: 659add6efc75a4715d738e73f07505246edf4d66
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

dependency-check-core-1.4.5.jar

Description: dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platform Enumeration (CPE); if any CPE identifiers are found, the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.

File Path: /Users/andy/.m2/repository/org/owasp/dependency-check-core/1.4.5/dependency-check-core-1.4.5.jar
MD5: bbeddbad91868290103ed3990e8e0276
SHA1: 566cf2fee8b72852d4e5784997928d1e16817776
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

dependency-check-core-1.4.5.jar: GrokAssembly.exe

File Path: /Users/andy/.m2/repository/org/owasp/dependency-check-core/1.4.5/dependency-check-core-1.4.5.jar/GrokAssembly.exe
MD5: 6f37f0392fca42bebf891db0c66d629a
SHA1: 01b892bf2fd30629227f58b73ae8fc9110ca3bd0
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • None

dependency-check-maven-1.4.5.jar

Description: dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.

File Path: /Users/andy/.m2/repository/org/owasp/dependency-check-maven/1.4.5/dependency-check-maven-1.4.5.jar
MD5: d44dbd782c52e7f87c1c90bdb74d810c
SHA1: ae387c8e4c8297d3fe9cf0f1915f2cf1eb0470bf
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

dependency-check-utils-1.4.5.jar

Description: dependency-check-utils is a collection of common utility classes used within dependency-check that might be useful in other projects.

File Path: /Users/andy/.m2/repository/org/owasp/dependency-check-utils/1.4.5/dependency-check-utils-1.4.5.jar
MD5: c9087ebae9731b15a02feb24f93f96e0
SHA1: 37ff09abaa7e5f85c0dda12d95baeb40a4bde2ab
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jcifs-1.2.19.jar

Description: JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java

License:

GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: /Users/andy/.m2/repository/org/samba/jcifs/jcifs/1.2.19/jcifs-1.2.19.jar
MD5: bcaefdc4b6521ea530ec129811f363c8
SHA1: 333384030132b83c87943b5a03c8b4b307738ffa
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jcl-over-slf4j-1.7.24.jar

Description: JCL 1.2 implemented over SLF4J

File Path: /Users/andy/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.24/jcl-over-slf4j-1.7.24.jar
MD5: c4f92652e13f3095fc95fcdcb5b514d7
SHA1: e6a8629079856a2aa7862c6327ccf6dd1988d7fc
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

jul-to-slf4j-1.7.24.jar

Description: JUL to SLF4J bridge

File Path: /Users/andy/.m2/repository/org/slf4j/jul-to-slf4j/1.7.24/jul-to-slf4j-1.7.24.jar
MD5: 8f13c04772e364c3ca0a1d9d979cc701
SHA1: 25a2be668cb2ad1d05d76c0773df73b4b53617fd
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

log4j-over-slf4j-1.7.24.jar

Description: Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.24/log4j-over-slf4j-1.7.24.jar
MD5: 196e88a341f9a807cca0630e8da46398
SHA1: 6ab46c51a3848286a0db3ba7b22037b3834c3c44
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

slf4j-api-1.7.24.jar

Description: The slf4j API

File Path: /Users/andy/.m2/repository/org/slf4j/slf4j-api/1.7.24/slf4j-api-1.7.24.jar
MD5: d18638036e314cdd66f04e2d248b7df9
SHA1: 3f6b4bd4f8dbe8d4bea06d107a3826469b85c3e9
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

slf4j-jdk14-1.7.4.jar

Description: SLF4J JDK14 Binding

File Path: /Users/andy/.m2/repository/org/slf4j/slf4j-jdk14/1.7.4/slf4j-jdk14-1.7.4.jar
MD5: b47920e8b18ffda26bd33f1e9c5e9a93
SHA1: 4fd74c1cd507e8df0a2b26b2be678c4e86b98bd2
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

plexus-cipher-1.4.jar

File Path: /Users/andy/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

plexus-sec-dispatcher-1.4.jar

File Path: /Users/andy/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.4/plexus-sec-dispatcher-1.4.jar
MD5: 0a46e5bc9bc2fbd3b68091066aff2737
SHA1: 43fde524e9b94c883727a9fddb8669181b890ea7
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

spring-core-4.3.7.RELEASE.jar

Description: Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar
MD5: bfe2809bd044dc97cfca5db00e8ab1e4
SHA1: 54fa2db94cc7222edc90ec71354e47cd1dc07f7b
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:pivotal:spring_framework:4.3.7   Confidence:LOW   
  • cpe: cpe:/a:pivotal_software:spring_framework:4.3.7   Confidence:LOW   
  • cpe: cpe:/a:springsource:spring_framework:4.3.7   Confidence:LOW   
  • cpe: cpe:/a:vmware:springsource_spring_framework:4.3.7   Confidence:LOW   
  • maven: org.springframework:spring-core:4.3.7.RELEASE   Confidence:HIGHEST

spring-dao-1.2.9.jar

Description: Spring Framework: DAO

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/springframework/spring-dao/1.2.9/spring-dao-1.2.9.jar
MD5: 2396ea4e1942a5fc7950cd4478120ec7
SHA1: 6f90baf86fc833cac3c677a8f35d3333ed86baea
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

  • cpe: cpe:/a:pivotal:spring_framework:1.2.9   Confidence:LOW   
  • cpe: cpe:/a:pivotal_software:spring_framework:1.2.9   Confidence:LOW   
  • cpe: cpe:/a:springsource:spring_framework:1.2.9   Confidence:LOW   
  • cpe: cpe:/a:vmware:springsource_spring_framework:1.2.9   Confidence:LOW   
  • maven: org.springframework:spring-dao:1.2.9   Confidence:HIGHEST

CVE-2016-9878  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-4152  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2011-2730  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

oro-2.0.8.jar

File Path: /Users/andy/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

relaxngDatatype-20020414.jar

File Path: /Users/andy/.m2/repository/relaxngDatatype/relaxngDatatype/20020414/relaxngDatatype-20020414.jar
MD5: fd667fbdaf3190bdd8aee4e8e2d12d5c
SHA1: de7952cecd05b65e0e4370cc93fc03035175eef5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

stax-api-1.0.1.jar

Description: StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

xpp3-1.1.4c.jar

Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.

License:

Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /Users/andy/.m2/repository/xpp3/xpp3/1.1.4c/xpp3-1.1.4c.jar
MD5: 6e3c39f391e4994888b7d0030f775804
SHA1: 9b988ea84b9e4e9f1874e390ce099b8ac12cfff5
Referenced In Project/Scope: jenkins-nirt-alerts:compile

Identifiers

plexus-utils-1.5.5.jar/META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml

File Path: /Users/andy/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.5/plexus-utils-1.5.5.jar/META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml
MD5: 61795135733295c9aa438fda7b923db8
SHA1: 1074eabfbcbfb0decfe6f9ed0541668e114b9311

Identifiers

  • maven: org.codehaus.plexus:plexus-interpolation:1.0   Confidence:HIGH

jansi-1.9.jar/META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml

Description: The API that projects using HawtJNI should build against.

File Path: /Users/andy/.m2/repository/org/fusesource/jansi/jansi/1.9/jansi-1.9.jar/META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml
MD5: c9eeb38c93644fbcd48aaea6c675bbfc
SHA1: 14b1f7fb42a991328dcdde41d14517565739fb71

Identifiers

  • maven: org.fusesource.hawtjni:hawtjni-runtime:1.5   Confidence:HIGH

jansi-1.9.jar/META-INF/maven/org.fusesource.jansi/jansi-native/pom.xml

Description: Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/andy/.m2/repository/org/fusesource/jansi/jansi/1.9/jansi-1.9.jar/META-INF/maven/org.fusesource.jansi/jansi-native/pom.xml
MD5: c20c6c9c0a32930b5a85171cb27550c7
SHA1: 659053e9d8e55a1b2484b7b5e738332ba1d32f29

Identifiers

  • maven: org.fusesource.jansi:jansi-native:1.3   Confidence:HIGH

jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/commons-codec/commons-codec/pom.xml

Description: The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/jenkins-cli.jar/META-INF/maven/commons-codec/commons-codec/pom.xml
MD5: 3cc0238aa5958a2e74cfffc439761368
SHA1: 393db4ae967c6e831025d432632d1f72f7108b01

Identifiers

  • maven: commons-codec:commons-codec:1.4   Confidence:HIGH

jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/args4j/args4j/pom.xml

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/jenkins-cli.jar/META-INF/maven/args4j/args4j/pom.xml
MD5: 914bc747cf2bc6f1288a373fcb61d7e1
SHA1: 92964c62acb80a62c35945573ecd05269e3ef028

Identifiers

  • maven: args4j:args4j:2.0.16   Confidence:HIGH

jenkins-war-1.561.jar: jenkins-cli.jar/META-INF/maven/org.jenkins-ci/trilead-ssh2/pom.xml

Description: Ganymed SSH2 for Java is a library which implements the SSH-2 protocol in pure Java

License:

BSD style license: http://www.ganymed.ethz.ch/ssh2/LICENSE.txt
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/WEB-INF/jenkins-cli.jar/META-INF/maven/org.jenkins-ci/trilead-ssh2/pom.xml
MD5: d8abf5c36595f264bdc49cef8fdf9f1f
SHA1: be85439b84dcffb9451c72cba1b90239d9d009b8

Identifiers

  • maven: org.jenkins-ci:trilead-ssh2:build214-jenkins-1   Confidence:HIGH

jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.jenkins-ci/winstone/pom.xml

Description: Winstone is a command line wrapper around Jetty

License:

GNU Lesser General Public License version 2.1: http://www.gnu.org/licenses/lgpl.html
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/winstone.jar/META-INF/maven/org.jenkins-ci/winstone/pom.xml
MD5: 55f2cba017f450a1d35f027562a46917
SHA1: 9038e6333bf8820fa492ae677d9716a4dc3f314a

Identifiers

  • cpe: cpe:/a:jetty:jetty:2.3   Confidence:LOW   
  • maven: org.jenkins-ci:winstone:2.3   Confidence:HIGH

jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/winstone.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: dd6b5a08a5e9ea1dcfe03cab65cfcfc3
SHA1: 615a0c9e592ec4433e0947ad817347bdde05f9bd

Identifiers

  • cpe: cpe:/a:eclipse:jetty:8.1.13.v20130916   Confidence:LOW   
  • maven: org.eclipse.jetty:jetty-io:8.1.13.v20130916   Confidence:HIGH

jenkins-war-1.561.jar: winstone.jar/META-INF/maven/org.eclipse.jetty.spdy/spdy-core/pom.xml

File Path: /Users/andy/.m2/repository/org/jenkins-ci/main/jenkins-war/1.561/jenkins-war-1.561.jar/winstone.jar/META-INF/maven/org.eclipse.jetty.spdy/spdy-core/pom.xml
MD5: 8cc215ace25a007c9fb2cdf919a5c8db
SHA1: 29fe14e3fd0c4ca8249c509b6dd5918c33ea0c56

Identifiers

  • cpe: cpe:/a:eclipse:jetty:8.1.13.v20130916   Confidence:LOW   
  • cpe: cpe:/a:jetty:jetty:8.1.13.v20130916   Confidence:LOW   
  • maven: org.eclipse.jetty.spdy:spdy-core:8.1.13.v20130916   Confidence:HIGH


This report contains data retrieved from the National Vulnerability Database.